This listing of claims will replace all prior versions, and listings, of claims in the application:

Listing of Claims:

1. (Currently Amended) A method for the secure transmission of data from a distributor
to a client over a computer network, the method comprising: 

(a) encrypting the data using an encryption confidentiality key known to the client but not
the distributor;

(b) storing the encrypted data at the distributor; 

(c) generating a message by further encrypting the encrypted data using an encryption 
transmission key, the corresponding transmission decryption key being known to the client; and 

(d) transmitting the message to the client,

wherein said client is adapted to use cryptographic keys but not to generate them, instead
requesting a key from the distributor as required.

2. (Original) A method as claimed in claim 1 in which, on receipt of the message, the 
client confirms the integrity of the transmission by decrypting the message using the 
transmission key. 

3. (Original) A method as claimed in claim 2 in which the client confirms the 
confidentiality of the data by decrypting the encrypted data using a confidentiality decryption 
key corresponding to the confidentiality encryption key.

4. (Previously Presented) A method as claimed in claim 1 in which the data comprises
or includes a cryptographic key. 



5. (Previously Presented) A method as claimed in claim 1 in which the data comprises 
or includes a program. 

6. (Previously Presented) A method as claimed in claim 1 in which the data comprises 
or includes license or configuration information. 

7. (Previously Presented) A method as claimed in claim 1 in which the distributor 
provides key management functions, for example key generation, for the client. 

8. (Canceled) 

9. (Previously Presented) A method as claimed in claim 1 in which the distributor 
comprises a repository in communication with a plurality of providers, each provider being 
responsible for sending messages to one of a plurality of clients. 

10. (Previously Presented) A method as claimed in claim 1 in which the encrypted data 
is stored in a non-secure part of the repository.

11. (Previously Presented) A method as claimed in claim 1 in which the providers
include respective insecure computers which relay to the users messages generated by the 
repository. 

12. (Previously Presented) A method as claimed in claim 1 in which the providers 
include respective secure computers. 

13. (Previously Presented) A method as claimed in claim 1 in which each secure 
computer within a provider generates messages using a cryptographic key obtained from the
repository. 

14. (Original) A method as claimed in claim 9 in which encrypted data held within the 
repository is divided into data sets, each data set being associated with a respective policy which 
defines how the data within the data set may be used. 

15. (Original) A method as claimed in claim 14 in which data from a particular data set, 
when sent by the provider, is accompanied by the respective policy.

16. (Original) A method as claimed in claim 15 in which the policy is run by the 
provider. 

17. (Previously Presented) A method as claimed in claim 14 in which the policy is run 
by the client.

18. (Original) A method as claimed in claim 14 in which the policy is run by the
repository. 

19. (Original) A method as claimed in claim 9 in which a plurality of regions are 
defined within the repository, each region containing information on the secure computers that 
are permitted to make requests for or otherwise manipulate data held by the repository. 

20. (Original) A method as claimed in claim 9 in which the said secure computers 
include that of the provider. 

21. (Original) A method as claimed in claim 9 in which the said secure computers 
include those of the clients. 

22. (Previously Presented) A method as claimed in claim 19 in which encrypted data
held within the repository is divided into data sets, each data set being associated with a 
respective policy which defines how the data within the data set may be used and in which each 
region further includes a plurality of data sets.

23. (Previously Presented) A method as claimed in claim 19 in which encrypted data 
held within the repository is divided into data sets, each data set being associated with a 
respective policy which defines how the data within the data set may be used and in which each
region is associated with a respective region policy which defines how the information within the
region may be used. 



24. (Previously Presented) A method as claimed in claim 19 in which encrypted data
held within the repository is divided into data sets, each data set being associated with a
respective policy which defines how the data within the data set may be used and in which each 
region further contains one or more authority groups, the or each group defining a set of secure 
computers that are permitted to carry out certain tasks. 

25. (Original) A method as claimed in claim 24 in which a given secure computer may 
belong to a plurality of authority groups. 

26. (Original) A method as claimed in claim 24 in which each region includes a region 
authority group which is responsible for administrative functions relating to its respective region. 

27. (Original) A method as claimed in claim 26 in which the region authority group is 
responsible for revoking a secure computer from a region. 

28. (Original) A method as claimed in claim 24 in which the information within the or 
each authority group is encrypted and is confidential from the repository. 

29. (Original) A method as claimed in claim 19 in which the information within the or 
each authority group is encrypted and is confidential from the provider.

30. (Original) A method as claimed in claim 19 in which the information within each
authority group, when there is more than one such group, is encrypted and is confidential from 
other groups. 

31. (Original) A computer security module having means for receiving from a sender a
message comprising twice-encrypted data, means for confirming the integrity of the message by 
decrypting it according to a protocol known to both the module and the sender, and means for 
confirming that the confidentiality of the data has been preserved by further decrypting the
decrypted message using a secret known to the module but not to the sender. 

32. (Original) A computer system including a plurality of clients, each having a security
module as claimed in claim 31, and a provider arranged to send messages, as required, to the said 
clients. 

33. (Original) A computer system as claimed in claim 32 in which the provider includes 
a secure computer. 

34. (Previously Presented) A computer system as claimed in claim 33 in which the 
secure computer within the provider includes the security module. 

35. (Previously Presented) A computer system as claimed in claim 32 including a 
plurality of providers, and a repository arranged to send data, as required, to the said providers.

36. (Original) A computer system as claimed in claim 32 in which encrypted data is
stored at the provider, and is re-encrypted prior to being sent as a message to the client. 

37. (Original) A computer system as claimed in claim 35 in which encrypted data is 
stored at the repository, and is re-encrypted prior to being sent as messages to the providers. 

38. (Previously Presented) A computer system as claimed in 31 in which encrypted data 
is stored in a non-secure part of the repository. 

39. (Original) A computer system as claimed in claim 35 in which the providers 
comprise respective insecure computers which relay to the users messages generated by the 
repository. 

40. (Original) A computer system as claimed in claim 35 in which encrypted data held 
within the repository is divided into data sets, each data set being associated with a respective 
policy which defines how the data within the data set may be used.

41. (Original) A computer system as claimed in claim 40 in which data from a particular
data set, when sent by the provider, is accompanied by the respective policy.

42. (Original) A computer system as claimed in claim 41 in which the policy is run by
the provider.

43. (Previously Presented) A computer system as claimed in claim 41 in which the
policy is run by the client. 

44. (Original) A computer system as claimed in claim 40 in which the policy is run by 
the repository. 

45. (Original) A computer system as claimed in claim 35 in which a plurality of regions
are defined with the repository, each region containing information on the secure computers that 
are permitted to make requests for or otherwise manipulate data held by the repository. 

46. (Previously Presented) A computer system as claimed in claim 45 in which the said 
secure computers include that of the provider. 

47. (Previously Presented) A computer system as claimed in claim 45 in which, on 
receipt of the message, the client confirms the integrity of the transmission by decrypting the 
message using the transmission key and in which the said secure computers include those of the 
clients. 

48. (Previously Presented) A computer system as claimed in claim 45 in which
encrypted data held within the repository is divided into data sets, each data set being associated 
with a respective policy which defines how the data within the data set may be used and in which 
each region further includes a plurality of data sets.

49. (Original) A computer system as claimed in claim 45 in which each region is
associated with a respective region policy which defines how the information within the region 
may be used. 

50. (Original) A computer system as claimed in claim 45 in which each region further 
contains one or more authority groups, the or each group defining a set of secure computers that 
are permitted to carry out certain tasks. 

51. (Original) A computer system as claimed in claim 50 in which a given secure 
computer may belong to a plurality of authority groups. 

52. (Original) A computer system as claimed in claim 50 in which each region includes 
a region authority group which is responsible for administrative functions relating to its
respective region. 

53. (Original) A computer system as claimed in claim 52 in which the region authority 
group is responsible for revoking a secure computer from a region.

54. (Original) A computer system as claimed in claim 50 in which the information 
within the or each authority group is encrypted and is confidential from the repository.

55. (Original) A computer system as claimed in claim 50 in which the information
within the or each authority group is encrypted and is confidential from the provider.

56. (Original) A computer system as claimed in claim 50 in which the information 
within each authority group, when there is more than one such group, is encrypted and is 
confidential from the other group. 

57. (Original) A method for the secure transmission of data to a client, over a computer
network, the method comprising: 

(a) providing, at a remote data distributor, encrypted data the decryption of which 
requires knowledge of a secret known to the client; 

(b) opening a secure channel between the distributor and the client, the channel defining a 
cryptographic protocol agreed by both the distributor and client; 

(c) at the distributor, further encrypting the encrypted data according to the protocol to 
generate a secure message, and transmitting the message to the client; and 

(d) at the client: 

(i) confirming the integrity of the transmission by decrypting the message 
according to the protocol; and 

(ii) recovering the data by decrypting the encrypted data using the secret. 

58. (Original) A method as claimed in claim 57 in which the data comprises or includes 
a cryptographic key.

59. (Original) A method as claimed in claim 58 in which the distributor provides key
management functions, for example key generation, for the client. 



60. (Original) A method as claimed in claim 58 in which the client is adapted to use
cryptographic keys but not to generate them, instead requesting a key from the distributor as 
required. 

61. (Original) A method as claimed in claim 58 in which the key is used in a secure 
process by the client. 

62. (Original) A method as claimed in claim 57 in which the data comprises or includes 
a program. 

63. (Original) A method as claimed in claim 57 in which the data comprises or includes 
licence or configuration information. 

64. (Previously Presented) A method as claimed in any one of claim 57 in which the 
secret known to the client is not known to the distributor. 

65. (Original) A method as claimed in claim 64 in which the distributor generates the 
message by calculating encrypt(wrap( (Ke-decrypt), Kw-wrap), Ks) where: 

(i) wrap (a,b) denotes 'wrap key a with key b',

(ii) Ke-decrypt is the decryption key corresponding to an encryption key Ke-encrypt with
which the data was encrypted,

(iii) Ks is a session key generated according to the said protocol, and

(iv) Kw-wrap is a wrapping key.

66. (Original) A method as claimed in claim 64 in which the distributor generates the 
message by calculating Encrypt (B,Ks) where: B has been received by the distributor in advance 
by some secure process, B being defined by wrap( {Ke-decrypt}, Kw-wrap) where: 

(i) wrap (a,b) denotes 'wrap key a with key b', 

(ii) Ke-decrypt is the decryption key corresponding to an encryption key Ke-encrypt with 
which the data was encrypted, 

(iii) Ks is a session key generated according to the said protocol, and 

(iv) Kw-wrap is a wrapping key. 

67. (Previously Presented) A method as claimed in claim 65 in which the client has a 
symmetric entity confidentiality key, Kec-secret, which has been securely transferred in advance 
to the distributor, the distributor then using Kec-secret as Kw-wrap. 

68. (Previously Presented) A method as claimed in claim 65 in which the client has an
asymmetric entity confidentiality key pair, Kec-public/Kec-private, Kec-public having been
securely transferred in advance to the distributor, the distributor then using Kec-public as
Kw-wrap.

69. (Original) A method as claimed in claim 64 in which the message generation
includes wrapping the encrypted data with a symmetric entity confidentiality key which has been 
securely transferred in advance to the distributor. 

70. (Original) A method as claimed in claim 64 in which the message generation 
includes wrapping the encrypted data with the public part of an asymmetric entity confidentiality 
key pair, the said public part having been securely transferred in advance to the distributor. 

71. (Original) A method as claimed in claim 69 in which the distributor holds the said
public part of the key pair confidential. 
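
The message flow of claims 57 and 66, as an added Python example that is not part of the application: a party other than the distributor (an assumption here) produces B = wrap(Ke-decrypt, Kw-wrap), the distributor adds the session layer Encrypt(B, Ks), and the client removes both layers. The claims name no cipher, so `seal` and `open_sealed` are hypothetical stand-ins built from HMAC-SHA256 (encrypt-then-MAC) to keep the block within the standard library.

```python
import hashlib
import hmac
import os

NONCE, TAG = 16, 32

def _prf(key: bytes, label: bytes, data: bytes) -> bytes:
    return hmac.new(key, label + data, hashlib.sha256).digest()

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # HMAC-SHA256 in counter mode as keystream (stand-in cipher, an assumption).
    blocks = (len(data) + 31) // 32
    ks = b"".join(_prf(key, b"ks", nonce + i.to_bytes(4, "big")) for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE)
    ct = _xor_stream(key, nonce, plaintext)
    return nonce + ct + _prf(key, b"mac", nonce + ct)

def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; ValueError on any mismatch."""
    if len(blob) < NONCE + TAG:
        raise ValueError("message too short")
    nonce, ct, tag = blob[:NONCE], blob[NONCE:-TAG], blob[-TAG:]
    if not hmac.compare_digest(tag, _prf(key, b"mac", nonce + ct)):
        raise ValueError("integrity check failed")
    return _xor_stream(key, nonce, ct)

def distributor_message(stored_b: bytes, ks: bytes) -> bytes:
    # Claim 66: Encrypt(B, Ks). The distributor holds B but not Kw-wrap.
    return seal(ks, stored_b)

def client_receive(message: bytes, ks: bytes, kw_wrap: bytes) -> bytes:
    b = open_sealed(ks, message)      # claim 57 (d)(i): integrity of the transmission
    return open_sealed(kw_wrap, b)    # claim 57 (d)(ii): recover with the client's secret

def demo() -> bool:
    # Constructed random keys; B is made off the distributor (assumption).
    kw_wrap, ks, ke_decrypt = os.urandom(32), os.urandom(32), os.urandom(32)
    b = seal(kw_wrap, ke_decrypt)     # B = wrap(Ke-decrypt, Kw-wrap)
    msg = distributor_message(b, ks)
    return client_receive(msg, ks, kw_wrap) == ke_decrypt

if __name__ == "__main__":
    print("client recovered Ke-decrypt:", demo())
```

Holding only B and Ks, the distributor cannot open the inner layer: `open_sealed(ks, b)` fails the tag check, which is the separation claim 64 relies on.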